Communications data is always sensitive. This is why, for instance, there is no point in protecting your email while it is being sent if any company hosting your email can read it once it arrives to your inbox, for example to target you with advertising. Therefore EDRi supports the protection of communication data both when it is in transit and at rest. The proposed Article 5 in the European Parliament (EP) version of the e-Privacy Regulation proposal protects “any interference with electronic communications”, including “data related to or processed by terminal equipment”. This is an important step in the right direction.

Consent as the only legal basis for processing (Art. 6)

Informed and free consent should be the sole legal basis for non-necessary processing of such data. Because of the intricate way online tracking works, only users who are fully informed (and free to make the choice) could allow that by consenting to that feature, if it is in their interest.

Privacy and devices protected by design and by default (Art. 10)

As happens with any other device that may create risks for the user, safety and security need to be part of the design and not an after-thought.This is why we need privacy by design and by default. Article 10 of the proposal states that all software allowing electronic communication should, “by default, have privacy protective settings activated to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information already stored on or collected from that equipment”.

The security of devices are also covered by Article 8 that restricts the use of end-users’ terminal equipment to what is strictly necessary, subject to consent.

Restrictions of users’ rights (Art. 11)

Article 11 limits restrictions to vague general public interests such as national security, defence and public security, but the EP has done a better job at being specific in the three sub-articles. Furthermore, Article 11 also contains provisions to ask for mandatory documentation on the requests to access communications by Member States.

Protection of encryption (Art. 17)

In order to protect citizens’ privacy and the safety of their electronic communications, it is fundamental to ban any attempts to undermine encryption. Article 17, on security risks, states that Member States cannot weaken encryption, for example by forcing companies to include ”back-doors” in their products.

The European Parliament has done a good job with its improvements to the text. Thanks to the strong position of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) and citizens’ mobilisation, the European Parliament voted for a strong text that will protect citizens’ privacy and communication. However the fight is not over yet: the Commission, the Council and the Parliament have yet to reach an agreement during the obscure process called trilogues. The final text will be passed in the Plenary of the European Parliament in 2018, tentatively after the summer.